Messages - fvanroie

#1
Two quick updates to report as I had a small breakthrough into making the PowerShell Module more user friendly going forward.

- I'll publish a Dockerfile soon, so anyone can easily test the PowerShell module in a container.
- I am adding the ability to 'mount' and browse the OPNsense Menu and Items like it were a filesystem.

It's just a proof-of-concept, but it's working for some objects already:
#2
It seems there is currently no GUI for this plugin. You can edit the conf file manually:
https://forum.opnsense.org/index.php?topic=3130.0
#3
If you have PowerShell installed on a workstation, you can easily import the users using my PS_OPNsense PowerShell Module. It's still in development but this should work:

Import-Module PS_OPNsense
Connect-OPNsense -Url $url -Credential $apicredential -SkipCertificateCheck

# Import users from CSV file
$users = Import-Csv -Path U:\opnsense\passwords.csv

# Loop the users
foreach ($user in $users) {
    # Build the Freeradius user JSON string
    $json = '{{ "user": {{ "enabled": 1, "password": "{0}", "username": "{1}" }} }}' -f $user.password, $user.username

    # Invoke the API call to create the user
    Invoke-OPNsenseCommand -Module freeradius -Controller user -Command adduser -Json $json -Method POST
}

# List all the Freeradius users
Get-OPNsenseItem -Freeradius User

Disconnect-OPNsense


I'm biassed towards PowerShell and it is very suitable for jobs like this. The Invoke-Command is a bit of a hack because I haven't implemented the New-OPNsenseItem cmdlet yet. But once you get the hang of the API it's fairly straightforward to script against OPNsense.
#4
It's been a while, but today I've updated the master branch with version 0.1.5 of PS_OPNsense. There have been a lot of changes under the hood that should make maintaining the code a lot easier towards the future.

Notable changes:

  • Improved Firmware Updates (see screencast below)
  • Drastically reduce the number of cmdlets and code base
  • Use OpenAPI json specification for describing the API calls
  • Strong typing of CRUD Items allowing cmdlets to identify objects coming from the pipeline
  • All CRUD Items can now be queried and removed using Get-OPNsenseItem and Remove-OPNsenseItem
  • Base functionality to query all Settings, but needs more work
  • Install, remove, lock, unlock and list Packages and Plugins
  • Added legacy cmdlets to query Vlans and Certificates

e.g. remove HAProxy server named Web001:

Get-OPNsenseItem -HAProxy Server -Filter 'web001' | Remove-OPNsenseItem

I'll be updating the documentation for PS_OPNsense and the API Reference next.
#5
Neat! That looks very cool indeed. Good job!
#6
The SQLite database is located here:

$database_filename = '/var/captiveportal/captiveportal.sqlite';

You can also make the SessionId visible in Services > Captive Portal > Sessions
Then click the column drop-down list -right to the search field- to enable Session. The list will now show the SessionId information in the Web GUI.
#7
Good to hear this is working and thanks for reporting back.
I have both W52 and T38 as well and it's good to know they can be set up with OPNsense OpenVPN!
#8
Quote from: FriendOfCarlotta on May 18, 2018, 07:29:11 PM
How do I get a more verbose response?

This works for me:
#!/usr/bin/python

# import libraries
import json
import requests

# define endpoint and credentials
api_key = ''
api_secret = ''

url = 'https://127.0.0.1/api/routes/routes/addroute'
headers = {'content-type': 'application/json'}
payload = '{"route": {"network": "10.0.50.0/24", "gateway": "LAN_DHCP", "descr": "vlan50", "disabled": "0"}}'

# Make the api call
r = requests.post(url, data=payload, verify=False, auth=(api_key, api_secret), headers=headers)

# Check response
if r.status_code == 200:
    print(r.text)
    response = json.loads(r.text)

    if response['result'] == 'saved':
        print ('The payload was successfully saved !')
        print (response['result'])

else:
    print ('Connection / Authentication issue, response received:')
    print(r.text)

#9
Just change the gateway field to the name you want as a string. Also the JSON keys/values should be in double quotes:

payload = '{"route": {"network": "10.0.50.0/24", "gateway": "LAN_DHCP", "descr": "vlan50", "disabled": "0"}}'

200 OK
{ "result": "saved" }
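
The addroute call from the two posts above, as an added example (not the poster's code): the payload is serialised with json.dumps instead of a hand-written string, and the firewall certificate is verified instead of passing verify=False. The host name in the usage and the ca_file path are assumptions; the endpoint, fields and "saved" result are the ones shown in the posts.

```python
import base64
import ipaddress
import json
import ssl
import urllib.request

API_PATH = "/api/routes/routes/addroute"  # endpoint used in the post above


def build_route_payload(network, gateway, descr, disabled=False):
    """Serialise the route with json.dumps so quoting is always valid JSON."""
    # Reject anything that is not a network in CIDR form before it reaches the API.
    net = ipaddress.ip_network(network, strict=True)
    route = {"network": str(net), "gateway": gateway,
             "descr": descr, "disabled": "1" if disabled else "0"}
    return json.dumps({"route": route}).encode("utf-8")


def build_request(base_url, api_key, api_secret, payload):
    """Prepare the POST with key/secret as HTTP basic auth; nothing is sent here."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send API credentials over plain HTTP")
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + API_PATH, data=payload, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token})


def tls_context(ca_file=None):
    """Verifying TLS context; ca_file (assumed path) is the CA that signed the firewall cert."""
    return ssl.create_default_context(cafile=ca_file)


def route_saved(status, body):
    """True only for HTTP 200 with a JSON body whose result is 'saved'."""
    if status != 200:
        return False
    try:
        return json.loads(body).get("result") == "saved"
    except (ValueError, AttributeError):
        return False


def add_route(base_url, api_key, api_secret, ca_file, **route):
    """Send the request over verified TLS and report whether the route was saved."""
    req = build_request(base_url, api_key, api_secret, build_route_payload(**route))
    with urllib.request.urlopen(req, context=tls_context(ca_file), timeout=10) as resp:
        return route_saved(resp.status, resp.read())
```
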
#10
I have configured OpenVPN on a Yealink phone a while ago... not to OPNsense but a cloud VPN.
What type of phone and firmware version are you using? I remember that the format can depend from phone to phone and version to version...

Try renaming your files using this naming convention and folder layout. It is very picky about the filenames and folders.

clientconf
├── keys
│   ├── ca.crt
│   ├── client.crt
│   └── client.key
└── vpn.cnf


cd clientconf
# from within the clientconf directory:
tar -cf openvpn.tar vpn.cnf keys/*


You need to run the tar command from within the folder itself. Otherwise the paths will get mangled and the file won't work.
Upload that file in the Web GUI or via your provisioning system.
#11
This docker is a great tool. It worked for me on the first run and now I'm able to write & compile docs... I wouldn't know where to start building Sphinx from scratch, so I took this shortcut.

Next up is to figure out reStructuredText syntax.  :D
#12
Your best chance is to scrape the source code. I have compiled a list of api commands from the source code here.

If you have PowerShell you can take a look at my PowerShell Module PS_OPNsense that's in the works. Its purpose is to automate OPNsense management. PowerShell Core 6 is cross-platform as well. If you are looking for specific functionality I might be able to include that.

There are some ruby and cli api clients out there as well.
#13
Just a quick update as I have merged a new dev version of PS_OPNsense into master today.

It now has cmdlets for most of the HAProxy objects. However not all the advanced options and properties are available yet, but it is coming along fine... It is now possible to get, add and remove Servers, Backend pools, Frontend services, Error files and Lua scripts.

Furthermore, there is a new Examples folder in the project which shows how to implement these cmdlets into scripts.

I'm also implementing automated Pester tests into the development process to reduce the time needed to test and validate all functions. This already comes in handy when testing the module on new platforms and OPNsense releases. I have PowerShell with PS_OPNsense running in Ubuntu 18.04 beta. The module is indeed working in PowerShell Core 6.0.1 for Linux ;D

So lots of progress and lots of new ideas for additions and improvements to come... Last but not least, any feedback and testing is encouraged. :)
#14
18.1 Legacy Series / Re: API Information
January 22, 2018, 07:15:23 PM
Quote from: namezero111111 on January 22, 2018, 01:35:40 PM
The information is all on the WebGUI, so from what I understand it should be accessible via the API?

How are the URLs for the API built? Is that the wrong way to go on OPNsense?

From my experience you can look at the URI in the WebGUI and you'll notice that it either starts with /ui/modulename/... or it ends in *.php. The former is code using the new MVC model and it has APIs behind it. The latter (.php) pages are legacy code and do not have an API yet.

When there is an API behind the page it follows the syntax /api/<module>/<controller>/<command> and usually returns a json object. And indeed you can do pretty much the same as with the GUI. A comprehensive list can be found here.

The only thing, like franco mentioned, is that not all parts have been converted to this model, but with every release more and more functions are reworked using the MVC model.
#15
Quote from: fabian on January 20, 2018, 11:17:26 AM
Quagga and FRR do have the same API. I have not changed it (API endpoints are the same as well as the data stored). So currently an API client for FRR is also an API client for quagga.
That's great news :). There was quite an increase in the Action() functions when I did a git grep on the new code. I didn't realize net/frr and net/quagga actually shared the same api calls... so yeah, it shouldn't make much difference in the end. Thanks for this clarification!

Quote from: fabian on January 20, 2018, 11:17:26 AM
Another frequently used plugin is HAProxy (often used in combination with the Let's Encrypt plugin). This one might be complicated but from what I read here it feels like to be the most used plugin.
Alright I'll start working on cmdlets for the HAProxy functionality and see how it goes.